RE: Attribute Name Length Bounds



Jim,

Jim Sermersheim wrote:
> I also see that we could just add "or exceed server limits" to the end of
> the phrase "or the encoding structures or lengths of data fields are found
> to be incorrect" in the first paragraph. But I'm not sure...
>
> This section talks about data that is either malformed or cannot be/is not
> recognized, so it seems like a good fit. It splits the problems into two
> classes (those that cause the connection to terminate, and those that
> simply return protocolError).
>
> Adding the change above causes a connection termination. The change Bob
> suggests allows one to differentiate between something that looks like an
> attack (say some size is 20gb), and something that simply exceeds a small
> limit, and act accordingly.
>
> Which seems more correct to others (and do both seem incorrect to anyone)?

Returning protocolError in response to a limitation in the server does not
seem appropriate to me. A protocolError suggests that the client has done
something wrong when in fact it is the server that has the problem. The
unwillingToPerform error is more appropriate in such circumstances.

Regards,
Steven